Feeds

NYT scareware scam linked to click fraud botnet

Ukrainian fan club cheer on all sorts of mischief

Security for virtualized datacentres

A botnet, initially run through compromised servers in the Bahamas, has been blamed for the recent upsurge in scareware scams.

Researchers from security firm Click Forensics have tied the Bahama botnet to a recent attack that resulted in pop-up ads punting rogue anti-virus software appearing via the New York Times website. The scam attempted to trick surfers into purchasing software called Personal Antivirus by falsely warning that their systems were infected with non-existent threats.

Personal Antivirus, far from offering a clean-up utility as advertised, infected compromised systems with a Trojan. Click Forensics said this Trojan is distributed by a gang of cybercrooks in the Ukraine called the Ukrainian fan club, who are also heavily involved in click fraud.

"We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street," Click Forensics reports. "We’re pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus 'Windows protection' domain located on the same IP address."

Compromised hosts in the Bahama botnet generate auto-generated clicks as part of a click fraud scam that offers an additional income for crooks. This click fraud traffic is carefully designed to elude detection by search engines and ad networks by mimicking genuine searches. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines," Paul Pellman, chief exec of Click Forensic, explained.

Click Forensics first detected the Bahama botnet when they discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas. Since then the zombie network has been reprogrammed to redirect traffic through other intermediate sites hosted in the Netherlands, US and the UK. The click fraud carried out by the botnet is explained in more detail in the video (below).

More on the Ukrainian "fan club" and its involvement in the NYT malvertisement campaign can be found in a blog post by independent security researcher Dancho Danchev here. ®

Internet Security Threat Report 2014

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.